The latest Microsoft AZ-500 Azure Security Technologies practice exam question and answer (Q&A) dumps are available for free. They can help you pass the Microsoft AZ-500 Azure Security Technologies exam and earn the certification.
AZ-500 Question 331
Question
SIMULATION
You need to collect all the audit failure data from the security log of a virtual machine named VM1 to an Azure Storage account.
To complete this task, sign in to the Azure portal.
This task might take several minutes to complete. You can perform other tasks while the task completes.
Answer
See the explanation below.
Explanation
Step 1: Create a workspace
Azure Monitor can collect data directly from your Azure virtual machines into a Log Analytics workspace for detailed analysis and correlation.
1. In the Azure portal, select All services. In the list of resources, type Log Analytics. As you begin typing, the list filters based on your input. Select Log Analytics workspaces.
2. Select Create, and then select choices for the following items:
3. After providing the required information on the Log Analytics workspace pane, select OK.
While the information is verified and the workspace is created, you can track its progress under Notifications from the menu.
Step 2: Enable the Log Analytics VM Extension
Installing the Log Analytics VM extension for Windows and Linux allows Azure Monitor to collect data from your Azure VMs.
- In the Azure portal, select All services found in the upper left-hand corner. In the list of resources, type Log Analytics. As you begin typing, the list filters based on your input. Select Log Analytics workspaces.
- In your list of Log Analytics workspaces, select DefaultWorkspace (the name you created in step 1).
- On the left-hand menu, under Workspace Data Sources, select Virtual machines.
- In the list of Virtual machines, select a virtual machine you want to install the agent on. Notice that the Log Analytics connection status for the VM indicates that it is Not connected.
- In the details for your virtual machine, select Connect. The agent is automatically installed and configured for your Log Analytics workspace. This process takes a few minutes, during which time the Status shows Connecting.
After you install and connect the agent, the Log Analytics connection status will be updated with This workspace.
Reference
- Azure > Azure Monitor > Monitor virtual machines with Azure Monitor
AZ-500 Question 332
Question
HOTSPOT
You have an Azure subscription that contains the resources shown in the following table.
Name | Type | Region | Resource group |
---|---|---|---|
SQL1 | Azure SQL database | East US | RG1 |
Analytics1 | Azure Log Analytics Workspace | East US | RG1 |
Analytics2 | Azure Log Analytics Workspace | East US | RG2 |
Analytics3 | Azure Log Analytics Workspace | West Europe | RG1 |
You create the Azure Storage accounts shown in the following table.
Name | Region | Resource group | Storage account type | Access tier (default) |
---|---|---|---|---|
Storage1 | East US | RG1 | Blob | Cool |
Storage2 | East US | RG2 | General purpose V1 | Not applicable |
Storage3 | West Europe | RG1 | General purpose V2 | Hot |
You need to configure auditing for SQL1.
Which storage accounts and Log Analytics workspaces can you use as the audit log destination? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Storage accounts that can be used as the audit log destination:
- Storage1 only
- Storage2 only
- Storage1 and Storage2 only
- Storage1, Storage2, and Storage3
Log Analytics workspaces that can be used as the audit log destination:
- Analytics1 only
- Analytics1 and Analytics2 only
- Analytics1 and Analytics3 only
- Analytics1, Analytics2, and Analytics3
Answer
Storage accounts that can be used as the audit log destination: Storage2 only
Log Analytics workspaces that can be used as the audit log destination: Analytics1, Analytics2, and Analytics3
AZ-500 Question 333
Question
SIMULATION
You need to ensure that the events in the NetworkSecurityGroupRuleCounter log of the VNET01-Subnet0-NSG network security group (NSG) are stored in the logs11597200 Azure Storage account for 30 days.
To complete this task, sign in to the Azure portal.
Answer
See the explanation below.
Explanation
You need to configure the diagnostic logging for the NetworkSecurityGroupRuleCounter log.
- In the Azure portal, type Network Security Groups in the search box, select Network Security Groups from the search results, and then select VNET01-Subnet0-NSG. Alternatively, browse to Network Security Groups in the left navigation pane.
- In the properties of the Network Security Group, click on Diagnostic Settings.
- Click on the Add diagnostic setting link.
- Provide a name in the Diagnostic settings name field. It doesn’t matter what name you provide for the exam.
- In the Log section, select NetworkSecurityGroupRuleCounter.
- In the Destination details section, select Archive to a storage account.
- In the Storage account field, select the logs11597200 storage account.
- In the Retention (days) field, enter 30.
- Click the Save button to save the changes.
AZ-500 Question 334
Question
You are collecting events from Azure virtual machines to an Azure Log Analytics workspace.
You plan to create alerts based on the collected events.
You need to identify which Azure services can be used to create the alerts.
Which two services should you identify? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.
A. Azure Monitor
B. Azure Security Center
C. Azure Analytics Services
D. Azure Sentinel
E. Azure Advisor
Answer
A. Azure Monitor
D. Azure Sentinel
AZ-500 Question 335
Question
HOTSPOT
You plan to use Azure Sentinel to create an analytic rule that will detect suspicious threats and automate responses.
Which components are required for the rule? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Detect suspicious threats:
- A Kusto query language query
- A Transact-SQL query
- An Azure PowerShell query
- An Azure Sentinel playbook
Automate responses:
- An Azure Function app
- An Azure PowerShell script
- An Azure Sentinel playbook
- An Azure Sentinel workbook
Answer
Detect suspicious threats: A Kusto query language query
Automate responses: An Azure Sentinel playbook
Reference
- Azure > Security > Microsoft Sentinel > Tutorial: Use playbooks with automation rules in Microsoft Sentinel
- Azure > Security > Microsoft Sentinel > Create custom analytics rules to detect threats
AZ-500 Question 336
Question
HOTSPOT
You have an Azure Active Directory (Azure AD) tenant named contoso.com that contains the users shown in the following table.
Name | Role |
---|---|
Admin1 | Global administrator |
Admin2 | Group administrator |
Admin3 | User administrator |
Contoso.com contains a group naming policy. The policy has a custom blocked word list rule that includes the word Contoso.
Which users can create a group named Contoso Sales in contoso.com? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Users who can create a security group named Contoso Sales:
- Admin1 only
- Admin1 and Admin2 only
- Admin1 and Admin3 only
- Admin1, Admin2, and Admin3
Users who can create an Office 365 group named Contoso Sales:
- Admin1 only
- Admin1 and Admin2 only
- Admin1 and Admin3 only
- Admin1, Admin2, and Admin3
Answer
Users who can create a security group named Contoso Sales: Admin1 and Admin3 only
Users who can create an Office 365 group named Contoso Sales: Admin1 and Admin3 only
Reference
- Azure > Active Directory > Enforce a naming policy on Microsoft 365 groups in Azure Active Directory
AZ-500 Question 337
Question
HOTSPOT
You have an Azure subscription that contains the following resources:
- An Azure key vault
- An Azure SQL database named Database1
- Two Azure App Service web apps named AppSrv1 and AppSrv2 that are configured to use system-assigned managed identities and access Database1
You need to implement an encryption solution for Database1 that meets the following requirements:
- The data in a column named Discount in Database1 must be encrypted so that only AppSrv1 can decrypt the data.
- AppSrv1 and AppSrv2 must be authorized by using managed identities to obtain cryptographic keys.
How should you configure the encryption settings for Database1? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
To configure the encryption of Database1:
- Always Encrypted by using Azure Key Vault.
- Always Encrypted by using the Windows Certificate Store.
- Transparent Data Encryption (TDE) by using Azure Key Vault integration.
- Transparent Data Encryption (TDE) by using Bring Your Own Key (BYOK).
To obtain the cryptographic keys:
- Create an access policy in Azure Key Vault.
- Generate a key on an HSM device.
- Import App Service certificates to AppSrv1 and AppSrv2.
- Register an enterprise application in Azure AD.
Answer
To configure the encryption of Database1: Always Encrypted by using Azure Key Vault.
To obtain the cryptographic keys: Generate a key on an HSM device.
Reference
- Microsoft Docs > Configure Always Encrypted by using Azure Key Vault
AZ-500 Question 338
Question
You have an Azure environment.
You need to identify any Azure configurations and workloads that are non-compliant with ISO 27001 standards.
What should you use?
A. Azure Sentinel
B. Azure Active Directory (Azure AD) Identity Protection
C. Azure Security Center
D. Azure Advanced Threat Protection (ATP)
Answer
C. Azure Security Center
Reference
- Azure > Security > Microsoft Defender for Cloud > Tutorial: Improve your regulatory compliance
AZ-500 Question 339
Question
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure Subscription named Sub1.
You have an Azure Storage account named Sa1 in a resource group named RG1.
Users and applications access the blob service and the file service in Sa1 by using several shared access signatures (SASs) and stored access policies.
You discover that unauthorized users accessed both the file service and the blob service.
You need to revoke all access to Sa1.
Solution: You create a new stored access policy.
Does this meet the goal?
A. Yes
Answer
A. Yes
Explanation
To revoke a stored access policy, you can either delete it or rename it by changing the signed identifier. Changing the signed identifier breaks the associations between any existing signatures and the stored access policy. Deleting or renaming the stored access policy immediately affects all of the shared access signatures associated with it.
Reference
- Microsoft Docs > Define a stored access policy
AZ-500 Question 340
Question
You have an Azure Active Directory (Azure AD) tenant that contains two users named User1 and User2 and a registered app named App1.
You create an app-specific role named Role1.
You need to assign Role1 to User1 and enable User2 to request access to App1.
Which two settings should you modify? To answer, select the appropriate settings in the answer area.
NOTE: Each correct selection is worth one point.
Owners
Roles and administrators (Preview)
Users and groups
Single sign-on
Provisioning
Application proxy
Self-service
Conditional Access
Permissions
Token encryption
Sign-ins
Usage & insights
Answer
Application proxy
Self-service